You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
215 lines
6.5 KiB
215 lines
6.5 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Tue, 8 Aug 2017 15:44:44 -0400
|
|
Subject: [PATCH] Better authorization scripts. Again.
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
---
|
|
src/Makefile | 12 ++++++----
|
|
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
|
|
src/pesign-authorize-groups | 30 ------------------------
|
|
src/pesign-authorize-users | 30 ------------------------
|
|
src/pesign.service.in | 3 +--
|
|
src/pesign.sysvinit.in | 3 +--
|
|
6 files changed, 65 insertions(+), 69 deletions(-)
|
|
create mode 100755 src/pesign-authorize
|
|
delete mode 100644 src/pesign-authorize-groups
|
|
delete mode 100644 src/pesign-authorize-users
|
|
|
|
diff --git a/src/Makefile b/src/Makefile
|
|
index 654b792..84ad130 100644
|
|
--- a/src/Makefile
|
|
+++ b/src/Makefile
|
|
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
|
|
|
|
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
|
SVCTARGETS=pesign.sysvinit pesign.service
|
|
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
|
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
|
|
|
|
all : deps $(TARGETS)
|
|
|
|
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
|
|
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
|
|
|
|
+pesign-users pesign-groups :
|
|
+ echo pesign > $@
|
|
+
|
|
install :
|
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
|
@@ -88,10 +91,9 @@ install :
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
|
|
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
|
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
|
|
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
|
|
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
|
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
|
|
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
|
|
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
|
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
|
|
|
.PHONY: all deps clean install
|
|
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
new file mode 100755
|
|
index 0000000..a496f60
|
|
--- /dev/null
|
|
+++ b/src/pesign-authorize
|
|
@@ -0,0 +1,56 @@
|
|
+#!/bin/bash
|
|
+set -e
|
|
+set -u
|
|
+
|
|
+#
|
|
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
+# acls for specific users is useful
|
|
+#
|
|
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
+#
|
|
+
|
|
+# License: GPLv2
|
|
+declare -a fileusers=()
|
|
+declare -a dirusers=()
|
|
+for user in $(cat /etc/pesign/users); do
|
|
+ dirusers[${#dirusers[@]}]=-m
|
|
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
|
|
+ fileusers[${#fileusers[@]}]=-m
|
|
+ fileusers[${#fileusers[@]}]="u:$user:rw"
|
|
+done
|
|
+
|
|
+declare -a filegroups=()
|
|
+declare -a dirgroups=()
|
|
+for group in $(cat /etc/pesign/groups); do
|
|
+ dirgroups[${#dirgroups[@]}]=-m
|
|
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
|
+ filegroups[${#filegroups[@]}]=-m
|
|
+ filegroups[${#filegroups[@]}]="g:$group:rw"
|
|
+done
|
|
+
|
|
+update_subdir() {
|
|
+ subdir=$1 && shift
|
|
+
|
|
+ setfacl -bk "${subdir}"
|
|
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
|
+ for x in "${subdir}"* ; do
|
|
+ if [ -d "${x}" ]; then
|
|
+ setfacl -bk ${x}
|
|
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
|
+ update_subdir "${x}/"
|
|
+ elif [ -e "${x}" ]; then
|
|
+ setfacl -bk ${x}
|
|
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
|
+ else
|
|
+ :;
|
|
+ fi
|
|
+ done
|
|
+}
|
|
+
|
|
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
|
+ if [ -d "${x}" ]; then
|
|
+ update_subdir "${x}"
|
|
+ else
|
|
+ :;
|
|
+ fi
|
|
+done
|
|
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
|
deleted file mode 100644
|
|
index cf51fb6..0000000
|
|
--- a/src/pesign-authorize-groups
|
|
+++ /dev/null
|
|
@@ -1,30 +0,0 @@
|
|
-#!/bin/bash
|
|
-set -e
|
|
-
|
|
-#
|
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
-# acls for specific groups is useful
|
|
-#
|
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
-#
|
|
-
|
|
-# License: GPLv2
|
|
-
|
|
-if [ -r /etc/pesign/groups ]; then
|
|
- for group in $(cat /etc/pesign/groups); do
|
|
- if [ -d /var/run/pesign ]; then
|
|
- setfacl -m g:${group}:rx /var/run/pesign
|
|
- if [ -e /var/run/pesign/socket ]; then
|
|
- setfacl -m g:${group}:rw /var/run/pesign/socket
|
|
- fi
|
|
- fi
|
|
- for x in /etc/pki/pesign*/ ; do
|
|
- if [ -d ${x} ]; then
|
|
- setfacl -m g:${group}:rx ${x}
|
|
- for y in ${x}{cert8,key3,secmod}.db ; do
|
|
- setfacl -m g:${group}:rw ${y}
|
|
- done
|
|
- fi
|
|
- done
|
|
- done
|
|
-fi
|
|
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
|
deleted file mode 100644
|
|
index 940138e..0000000
|
|
--- a/src/pesign-authorize-users
|
|
+++ /dev/null
|
|
@@ -1,30 +0,0 @@
|
|
-#!/bin/bash
|
|
-set -e
|
|
-
|
|
-#
|
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
-# acls for specific users is useful
|
|
-#
|
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
-#
|
|
-
|
|
-# License: GPLv2
|
|
-
|
|
-if [ -r /etc/pesign/users ]; then
|
|
- for username in $(cat /etc/pesign/users); do
|
|
- if [ -d /var/run/pesign ]; then
|
|
- setfacl -m g:${username}:rx /var/run/pesign
|
|
- if [ -e /var/run/pesign/socket ]; then
|
|
- setfacl -m g:${username}:rw /var/run/pesign/socket
|
|
- fi
|
|
- fi
|
|
- for x in /etc/pki/pesign*/ ; do
|
|
- if [ -d ${x} ]; then
|
|
- setfacl -m g:${username}:rx ${x}
|
|
- for y in ${x}{cert8,key3,secmod}.db ; do
|
|
- setfacl -m g:${username}:rw ${y}
|
|
- done
|
|
- fi
|
|
- done
|
|
- done
|
|
-fi
|
|
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
|
index aaa408e..c75a000 100644
|
|
--- a/src/pesign.service.in
|
|
+++ b/src/pesign.service.in
|
|
@@ -6,5 +6,4 @@ PrivateTmp=true
|
|
Type=forking
|
|
PIDFile=/var/run/pesign.pid
|
|
ExecStart=/usr/bin/pesign --daemonize
|
|
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
|
|
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
|
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
|
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
|
index dc508d8..b0e0f84 100644
|
|
--- a/src/pesign.sysvinit.in
|
|
+++ b/src/pesign.sysvinit.in
|
|
@@ -27,8 +27,7 @@ start(){
|
|
RETVAL=$?
|
|
echo
|
|
touch /var/lock/subsys/pesign
|
|
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
|
|
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
|
+ @@LIBEXECDIR@@/pesign/pesign-authorize
|
|
}
|
|
|
|
stop(){
|